Microsoft to streamline Windows 8's patch process

Tweaks to updating, rebooting of patched PCs will improve security, say experts

Microsoft will reduce the number of distracting restarts for updates to Windows 8, part of its plan to simplify how people interact with the upcoming operating system, a company manager said today.

Security experts, including ones who have criticized Microsoft's updating practices in the past, applauded the changes.

"Streamlining the update effort and the better messaging is smart," said Wolfgang Kandek, chief technology officer with Qualys. "I like the improvements."

Some, though not all, of Microsoft's security and feature updates demand a PC reboot to finish installation because the code slated for changing is currently in use, said Farzana Rahman, the group program manager for Windows Update, in a long blog post today.

"One of the most discussed topics [about updating Windows] is the disruptiveness of restarts in the course of automatic updating," said Rahman. "And for good reason -- restarts can interrupt you right in the middle of something important."

Windows 8 will be less unsettling, Rahman promised, and ticked off several changes that will debut with the new OS.

On-the-desktop notifications will disappear, she said, referring to the pop-ups displayed on the Windows 7 taskbar, even when users have explicitly asked that updates be automatically downloaded and installed.

More importantly, Windows 8 will hold all restarts until after Patch Tuesday, the security update release always slated for the second Tuesday of the month.

When one or more updates does require a PC restart, Windows 8 will alert users in a message on the log-in screen that persists for three days. Microsoft picked that timespan because its telemetry said about 60% of Windows 7 users had completed update download and installation in the first three days after an update's release.

If a user doesn't select a restart at the log-in screen after three days, Windows 8 will do it, either at the end of the grace period or if critical applications are still open, automatically the next time a user logs in.

"This way through the log-in screen is great," said Kandek, who added he thought it was the logical place to remind users to reboot, and would probably get more people to update faster than they do now.

IT administrators will still be able to set a group policy that sidesteps automatic rebooting -- just as they can now with Windows 7 -- Rahman said.

Andrew Storms, director of security operations at nCircle Security, supported the changes slated for Windows 8, but issued a caveat. "The risk is that if we get a bad patch, then bad things happen without our control," said Storms.

Microsoft has issued patches that have crippled PCs, most notably in early 2010 when it pushed a patch for Windows XP that sent machines into a "blue screen of death" spiral.

In that instance, Microsoft eventually confirmed that the blue-screened PCs had been previously infected with the "Alureon" rootkit, and reissued the update once it figured out how to detect those infected machines and not offer them the update.

Noting that even Microsoft has said infected PCs were often those whose owners had not bothered to apply patches, Storms leaned toward an optimistic outlook on the changes in Windows 8.

"The reboot requirement for certain patches has hindered Microsoft's ability to successfully complete patch installation," Storms said. "Making the reboot process less painful should decrease users' risk as patches will be completely installed faster."

Both Kandek and Storms see the changes set for Windows 8 as a continuation of Microsoft's trend -- actually the software industry's overall -- toward "quieter" updates. "To some degree, the world of end-user systems is already migrating to the automatic or silent updates," Storms argued.

Other software vendors, including Google and Mozilla, have or are creating silent updates for their Chrome and Firefox browsers that work invisibly in the background.

Microsoft said that it would make exceptions to the new Windows 8 rules on updating, the notifications users see and the timing of reboots only when it released an emergency, or "out-of-band" patch.

In that case [of a fix for a critical worm-like vulnerability], Windows Update will not wait, but will go ahead and download, install, and restart 'automatically,'" said Rahman "But this will happen only when the security threat is dire."

Rahman also touted the Windows Store, the Microsoft-made app store that will distribute "Metro" apps as well as traditional desktop applications, as a boon to security, since the e-market will include an integrated update service to guarantee apps are always up-to-date.

"That will be a nice boost for computer security overall for both individuals and enterprises who use the app store, said Kandek. "As more apps go [to the Windows Store], there's lots of potential for faster updates."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is

See more articles by Gregg Keizer.

Copyright © 2011 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon